Florida Federal Court Decision Illustrates Importance of Employer Vigilance Against Copying or Taking of Company Computer Data by Departing Employees (October 11, 2006)

This is a follow up to our earlier Alert on the Computer Fraud and Abuse Act (CFAA) and how the CFAA can be used by a company against departing employees who damage or destroy the company’s computer data or steal it in the process of leaving to join a competitor.  

The CFAA is a federal law that provides criminal penalties and civil enforcement powers to prevent damage or destruction of a company’s computer system or its data, or theft of its computer data.  The CFAA applies to outside “hackers” and others with “unauthorized access” to a company’s computer system as well as a company’s employees, consultants and other “insiders” who “exceed authorized access” to damage or destroy a company’s computer system or its data, or steal its data.  Companies can use the CFAA to sue wrongdoers if a company’s damages exceed $5,000 in any one-year period (including costs to restore or replace data and update computer security as well as lost revenue and losses from interruption of service). 

Our earlier Alert highlighted a decision from the Seventh Circuit U.S. Court of Appeals holding that a departing employee who destroyed a company’s computer data before leaving its employment by installing and running a “secure-erasure” program on his company-owned laptop had lost or exceeded his authorized access to the company’s computer system and “transmitted” a program intended to damage the employer’s computer or its data, in violation of the CFAA.  See “Computer Fraud and Abuse Act Offers Employees Additional Remedies Against Wrongful Conduct by Departing Employees” (June 5, 2006).

Recently, a U.S. District Court in Florida held that departing employees who copied hundreds of their employer’s confidential computer files on to compact disks before leaving employment and then delivered those files to a competitor did not violate the CFAA.  In Lockheed v. Speed, the federal court decided that these departing employees did not violate the CFAA because Lockheed permitted them, as a function of their job positions, to access the specific computer files in question.

Lockheed argued that the employees had lost or exceeded their permissible authority for the company because they were acting on behalf of or for the benefit of a competitor in breach of their duty of loyalty to Lockheed and with an intent to steal the company’s confidential computer files and deliver them to a competitor.  Therefore, according to Lockheed, the departing employees accessed the company’s computer system "without authorization" or “exceeded authorized access” in violation of the CFAA.

However, the Lockheed court noted that the CFAA defines "exceeds authorized access" to mean that an employee accesses a computer with authorization and then uses such access “to obtain or alter information in the computer” that he or she is “not entitled … to obtain or alter.” The court applied the plain meaning of this statutory definition to the facts of the case and concluded that the departing employees had authorization to access Lockheed’s computer system and the computer files they copied, as a function of their job positions, and did not exceed their authorization simply because they purportedly acted for the benefit of a competitor.  The court also held that the CFAA did not apply to the departing employees’ subsequent conduct in delivering the copied computer files to a competitor.  Thus, the court ruled there was no violation of the CFAA. 

The Lockheed decision likely will be appealed.  Federal court decisions in other states have held that departing employees who accessed their employer’s computer system and “transmitted” confidential computer data to a new employer via e-mail before leaving their employment with the current employer violated the CFAA because they lost or exceeded their authorized access when they began acting as agents for a new employer.

Nevertheless, the Lockheed decision and other court opinions applying the CFAA offer valuable lessons for employers wanting to guard against wrongful misappropriation of confidential computer data by departing employees.  To avoid violations, employers may want to establish policies prohibiting the copying or taking of a company’s computer data for transmission or delivery to outside parties without the company’s express authorization.